
Bad Grammar Make Bestest Password, Research Say

samzenpus posted about a year and a half ago | from the power-of-slang dept.

Security 193

An anonymous reader writes "NewScientist reports, 'Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.' Researchers from Carnegie Mellon University seem to have developed a password cracking algorithm that targets grammatically correct passwords. Can bad grammar really make your password secure?"

193 comments

obvisouly (0)

Anonymous Coward | about a year and a half ago | (#42640703)

its securid via stupity encrpters

Re:obvisouly (5, Funny)

Dexter Herbivore (1322345) | about a year and a half ago | (#42640737)

I was going to post "frist!" but that's my password.

Re:obvisouly (1)

theRunicBard (2662581) | about a year and a half ago | (#42640989)

That's not bad grammar, you silly slashdotter! That's the name of a building at Princeton University: Frist Campus Center. Look it up. :)

Re:obvisouly (1)

Anonymous Coward | about a year and a half ago | (#42641151)

Why not the mail room? Then it could be the Frist Post.

Certainly (3, Insightful)

vAltyR (1783466) | about a year and a half ago | (#42640715)

There are many more ways to have bad grammar than there are to have good grammar.

Re:Certainly (2)

davester666 (731373) | about a year and a half ago | (#42640837)

In other news, making spelling mistakes defeats a dictionary attack.

Because by spelling the words wrong, they no longer appear in the set of words known as "the dictionary".

Re:Certainly (3, Insightful)

mwvdlee (775178) | about a year and a half ago | (#42640893)

Unless those dictionaries contain common misspellings, which they probably already do.

Re:Certainly (2)

AmiMoJo (196126) | about a year and a half ago | (#42641619)

It's actually fairly easy to do algorithmically, in the same way many password crackers already try common number/letter replacements (pa55w0rd), adding single digits and dates to the end of dictionary words, capitalizing the first letter or every other letter etc. Just append -ed and -ing to every word, drop silent k's, reverse i and e (e.g. recieve) and so forth.
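
The rule-based mangling described in the comment above, written out as an added example (it is not code from any cracker's rule set or from any commenter). Each rule returns the set of variants it derives from one word; mangle() chains the rules to a chosen depth, so "Password1" or "Recieve" fall out of two rules applied in sequence. The leet maps, suffix lists and years are assumptions chosen for illustration.

```python
"""Word-mangling rules of the kind a dictionary cracker applies, as an
added example: each rule maps one word to a set of variants, and mangle()
applies the rules to a configurable depth."""


def leet_variants(word):
    """Common letter/digit substitutions: the full set and the s/o-only set."""
    full = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
    partial = str.maketrans({"o": "0", "s": "5"})          # pa55w0rd
    return {word.translate(full), word.translate(partial)}


def suffix_variants(word):
    """Append -ed and -ing, plus a single digit or a recent year (years are
    an assumption; a real rule set would use a longer list)."""
    out = {word + "ed", word + "ing"}
    out |= {word + str(d) for d in range(10)}
    out |= {word + str(y) for y in (2012, 2013)}
    return out


def spelling_variants(word):
    """Misspellings that follow rules: drop a silent k, swap ie/ei."""
    out = set()
    if word.startswith("kn"):
        out.add(word[1:])
    # swap every "ie" with "ei" and vice versa; the placeholder stops the
    # second replacement from undoing the first
    swapped = word.replace("ie", "\0").replace("ei", "ie").replace("\0", "ei")
    if swapped != word:
        out.add(swapped)
    return out


def case_variants(word):
    """Capitalise the first letter, every other letter, or the whole word."""
    alternating = "".join(c.upper() if i % 2 == 0 else c for i, c in enumerate(word))
    return {word.capitalize(), alternating, word.upper()}


RULES = (leet_variants, suffix_variants, spelling_variants, case_variants)


def mangle(word, depth=2, rules=RULES):
    """Return the word plus every variant reachable by applying up to
    `depth` rules in sequence (depth 2 reaches e.g. Recieve, know -> nowing)."""
    candidates = {word}
    frontier = {word}
    for _ in range(depth):
        produced = set()
        for w in frontier:
            for rule in rules:
                produced |= rule(w)
        frontier = produced - candidates
        candidates |= produced
    return candidates


if __name__ == "__main__":
    for base in ("password", "receive", "know"):
        print(base, len(mangle(base)), "candidates at depth 2")
```

Depth 2 on a single word already yields a few hundred candidates, which is why a deliberate misspelling buys far less than its author expects: the cracker pays a constant factor per dictionary word, not a new dictionary.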

Re:Certainly (1)

Macrat (638047) | about a year and a half ago | (#42641901)

It's actually fairly easy to do algorithmically, in the same way many password crackers already try common number/letter replacements (pa55w0rd), adding single digits and dates to the end of dictionary words, capitalizing the first letter or every other letter etc. Just append -ed and -ing to every word, drop silent k's, reverse i and e (e.g. recieve) and so forth.

Very true. That's why I find it so amusing when IT people think a system is more secure because their passwords require 1 capitalized letter and 1 number.

Re:Certainly (0)

Anonymous Coward | about a year and a half ago | (#42640973)

In other news, making spelling misteaks defeats a dictionary attack.

Fixed that for you.

Re:Certainly (1)

maxwell demon (590494) | about a year and a half ago | (#42641977)

Inn oother new's, macking speling misteaks deffeats ah dicktionary adtack.

Fixxed thet foar yu.

FTFY

Re:Certainly (1)

Samantha Wright (1324923) | about a year and a half ago | (#42641317)

In other other news, Google penalizes the rankings of spelling and grammatical errors. Cynically, I'm surprised this headline got posted.

Of coarse (5, Funny)

ArcadeMan (2766669) | about a year and a half ago | (#42640717)

Shekuritee bai aubskureeti.

Re:Of coarse (0)

Anonymous Coward | about a year and a half ago | (#42640897)

i kan hass cheezebergur, naww k thnck yu, bai

Re:Of coarse (0)

Anonymous Coward | about a year and a half ago | (#42641575)

bad my
i can has, cheeseburger now, You thank, bye
i have to fixed it, me make right it,

Re:Of coarse (0)

Anonymous Coward | about a year and a half ago | (#42641149)

Shekuritee bai aubskureeti.

Wat?

Re:Of coarse (2)

sumdumass (711423) | about a year and a half ago | (#42641237)

security by obscurity.

And I don't agree with it necessarily being a bad thing unless it's the only approach taken. As a layer, it increases the effectiveness of other security.

Re:Of coarse (2)

93 Escort Wagon (326346) | about a year and a half ago | (#42641329)

It's rapidly becoming apparent that many Slashdotters don't understand the difference between grammar and spelling.

Re:Of coarse (2)

davidwr (791652) | about a year and a half ago | (#42641629)

It's rapidly becoming apparent that many Slashdotters don't understand the difference between grammar and spelling.

Gram are in gram crackers.
Spelling your drink makes a mess.

Spelling your gram crackers makes a mess two but it's not as messie.

Re:Of coarse (0)

Anonymous Coward | about a year and a half ago | (#42641687)

In Slashdotter use, "security by obscurity" now seems to mean "security that involves anything being secret." Which is bullshit. It has a very specific meaning. Using RSA to exchange an AES key is not security by obscurity, even though its security relies on an eavesdropper not knowing your private RSA key. Similarly, using a strong password (in conjunction with well-understood algorithms) is not inherently "security by obscurity".

Re:Of coarse (0)

Anonymous Coward | about a year and a half ago | (#42641839)

Foreign language we don't understand - check.
Uses a password to hide something - check.
Posts to tech websites - check.
== Terrorist!

My question is this: (0)

Anonymous Coward | about a year and a half ago | (#42640743)

Why don't we allow unicode passwords?

Re:My question is this: (0)

Anonymous Coward | about a year and a half ago | (#42640791)

Actually, there's a common bug that allows at least 1 unicode character to work (that I've found),
and most sites seem to be using the same version.

But to answer your question, because the developers are too lazy.

CAPTCHA = shotgun (yes, I called it!)

Re:My question is this: (0)

Anonymous Coward | about a year and a half ago | (#42640947)

Actually, there's a common bug that allows at least 1 unicode character to work (that I've found),
and most sites seem to be using the same version.

Can you tell more about this? What character? Version of what?

Re:My question is this: (4, Insightful)

eksith (2776419) | about a year and a half ago | (#42640793)

Easier than sanitizing correctly. Honestly, it's just laziness. There are also some places that actually send you the bloody password from the database when you enter an email (because that's also easier), instead of salt+hashing and just resetting it. And a unicode password would cause issues in the carefully crafted HTML layout of reset email. These are actual excuses I was given by a project manager. He doesn't work with us anymore.

Re:My question is this: (1)

steviesteveo12 (2755637) | about a year and a half ago | (#42640853)

I've never actually considered what would happen if you put a unicode password into an email because, well...

Re:My question is this: (5, Insightful)

CodeheadUK (2717911) | about a year and a half ago | (#42640999)

A paranoid colleague of mine composed passwords with a sprinkling of extended chars. He entered the whole thing on the numeric keypad with ALT held down.

I've no idea what his password(s) were, but they caused quite a few badly written apps to explode in a spectacular shower of exceptions and unhandled input errors.

Re:My question is this: (1)

backwardMechanic (959818) | about a year and a half ago | (#42641475)

That's great until you have to use a different keyboard layout. Around here (CH) the keyboard may be EN-US, EN-GB, CH-FR, CH-DE or even FR-FR (which is just stupid). Y's, Z's and punctuation are best avoided.

Re:My question is this: (0)

Anonymous Coward | about a year and a half ago | (#42641719)

Keyboard layouts are largely arbitrary. Any operating system worth using will let you choose the keyboard layout to use for password entry, and any user worth caring about will have at least one keyboard layout that they can use without reference to what's printed on the keys.

Re:My question is this: (1)

swillden (191260) | about a year and a half ago | (#42641975)

That's great until you have to use a different keyboard layout.

Or a different operating system which uses a different method of entering extended characters.

Re:My question is this: (0)

Anonymous Coward | about a year and a half ago | (#42641021)

Every site should allow any password if they just hash it like they should.

Re:My question is this: (1)

mysidia (191772) | about a year and a half ago | (#42641305)

Every site should allow any password if they just hash it like they should.

I consider restricting the character set a lesser crime than sites like Amazon, Blizzard that make passwords case-insensitive

Re:My question is this: (3, Insightful)

Zero__Kelvin (151819) | about a year and a half ago | (#42641183)

"Why don't we allow unicode passwords?"

Because not all systems can handle Unicode, and Unicode itself has multiple internal representations (UTF-8, UTF-16). Furthermore, there are multiple valid Unicode encodings for the same character stream. In other words, that would be a very bad idea unless you are in an environment where only company approved systems, set up by competent system administrators, are allowed to log in, in which case it would just be a bad idea sans the "very". Even then it is of little value, since a well chosen password still has plenty of entropy, and there is no need to add complexity to the auth system (complexity is the enemy of security.)

Re:My question is this: (1)

tepples (727027) | about a year and a half ago | (#42641553)

Because not all systems can handle Unicode

I was under the impression that any system that could handle XML or HTML5 could handle at least the Basic Multilingual Plane of Unicode in UTF-8 encoding.

Furthermore, there are multiple valid Unicode encodings for the same character stream.

The Unicode Standard describes several canonicalization processes that can be applied before hashing the password for storage.

Re:My question is this: (1)

Zero__Kelvin (151819) | about a year and a half ago | (#42641857)

"I was under the impression that any system that could handle XML or HTML5 could handle at least the Basic Multilingual Plane of Unicode in UTF-8 encoding."

Were you also under the impression that all systems can handle XML and HTML5, and that all systems are UTF-8?

"The Unicode Standard describes several canonicalization processes that can be applied before hashing the password for storage."

So which one do I pick? Where is your actual argument that there is a benefit to using Unicode for passwords? Most importantly: What benefit do I get if I bother? These are just a few of the questions people should be asking themselves at this point.
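
The canonicalisation problem the last few comments argue about, as an added example that is not any site's code or any commenter's. The two constructed passwords below render identically but differ byte for byte; hashed raw, a user who enrolled with one form and typed the other cannot log in, while normalising both sides first makes them match. NFKC is an assumption here (the page names no particular form), as are the salt and the PBKDF2 parameters.

```python
"""Normalising Unicode before hashing, as an added example: the same visible
password in two Unicode forms only verifies once both are canonicalised."""
import hashlib
import hmac
import unicodedata
from typing import Optional

# Constructed passwords: identical on screen, different code points.
COMPOSED = "caf\u00e9"        # U+00E9 LATIN SMALL LETTER E WITH ACUTE
DECOMPOSED = "cafe\u0301"     # 'e' followed by U+0301 COMBINING ACUTE ACCENT

SALT = b"constructed-demo-salt"  # constructed; use os.urandom(16) per user


def hash_password(password: str, salt: bytes, form: Optional[str] = "NFKC") -> bytes:
    """PBKDF2-HMAC-SHA256 over the UTF-8 bytes of the password.  form=None
    hashes the raw code points; otherwise the password is normalised to
    the given Unicode form first (NFKC is an assumption, not the page's)."""
    if form is not None:
        password = unicodedata.normalize(form, password)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def verify(stored: bytes, candidate: str, salt: bytes, form: Optional[str] = "NFKC") -> bool:
    """Constant-time comparison; enrolment and login must use the same form."""
    return hmac.compare_digest(stored, hash_password(candidate, salt, form))


def demo():
    """Enrol the composed form, then log in with the decomposed one."""
    unnormalised = hash_password(COMPOSED, SALT, form=None)
    normalised = hash_password(COMPOSED, SALT)
    return {
        "same_bytes": COMPOSED.encode("utf-8") == DECOMPOSED.encode("utf-8"),
        "verifies_without_normalisation": verify(unnormalised, DECOMPOSED, SALT, form=None),
        "verifies_with_nfkc": verify(normalised, DECOMPOSED, SALT),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Whichever form is chosen, it has to be applied at enrolment, at login and in every password-change path; a client that normalises and a server that does not will produce exactly the mismatch shown.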

Corollary (3, Insightful)

eksith (2776419) | about a year and a half ago | (#42640753)

Entering wrong information for password reminders / security questions.

Re:Corollary (2)

petteyg359 (1847514) | about a year and a half ago | (#42640773)

My typical password reminder is "Fuck you." Good luck figuring out what my password is with that hint :)

Re:Corollary (2)

rubycodez (864176) | about a year and a half ago | (#42640813)

yourplaceormine,bitch?

Re:Corollary (0)

Anonymous Coward | about a year and a half ago | (#42640827)

If it's anything like the password hints I see on most people's computers, I'd guess your password is "Fuck you."

Re:Corollary (1)

Anonymous Coward | about a year and a half ago | (#42640907)

My typical password reminder is "Fuck you." Good luck figuring out what my password is with that hint :)

CanIBorrowSomeMoney?

Re:Corollary (0)

Anonymous Coward | about a year and a half ago | (#42641075)

Sod me?

Re:Corollary (4, Insightful)

jones_supa (887896) | about a year and a half ago | (#42641007)

Entering wrong information for password reminders / security questions.

My opinion is that password hints and security questions are really just a bad idea which websites should possibly stop to use completely. They can easily ruin the whole security even if your password itself is robust.

Re:Corollary (0)

Anonymous Coward | about a year and a half ago | (#42641191)

Just use it as a second password prompt with wrong info. For example, "what is your mother's maiden name?" has the answer "correct battery horse staple." Sure, if you are asked about the information you may get an odd reaction from the other person, but that is ok. I can always tell when the answer is stored in plain text because I'll talk to someone, like my bank, and they will say "Alright, I need your account number and, uh, mother's maiden name(?)" with a pause or sounding confused but the ones that have it hashed will just spit the question out like nothing is odd but then react with surprise to my answer when I give it.

Re:Corollary (1)

fredgiblet (1063752) | about a year and a half ago | (#42641285)

I had a customer who's name on their account (which we are required to gather to get access to the account) was "fuck you". It was amusing because neither he nor his girlfriend (who the account belonged to) knew that, so I had to send them their account on the computer to find out. Their reaction was quite funny.

Re:Corollary (0)

Anonymous Coward | about a year and a half ago | (#42641535)

I had a customer who's name

In the password, mate. Not in posts.

Re:Corollary (1)

arth1 (260657) | about a year and a half ago | (#42641557)

Just use it as a second password prompt with wrong info. For example, "what is your mother's maiden name?" has the answer "correct battery horse staple."

The problem with that approach is that people have lots of accounts, all with different questions. Either you have to memorize the made up answer to every question, or you have to use the same one for all of them, which means that if one place is compromised and didn't store it hashed, all your accounts are now potentially compromised.
Not that answering honestly is any better, because any sleuth worth his beer can find out the information about individuals, or find out the most common answers for large scale attacks. Answering "Smith", "Johnson" and "Williams" for the three tries you're asked someone's mother's maiden name will get you 2.5% success rate, which is significant for large scale attacks. Your high school? Central, Lincoln and Jefferson will get you a high return rate.

Security questions serve just one purpose - to make customers and CEOs feel more secure.

Article is very light on details (4, Interesting)

parallel_prankster (1455313) | about a year and a half ago | (#42640759)

Are there infinite ways to screw grammar while creating password? I would think there are certain patterns in which people mis-use grammar. I would imagine though that at some point if every one started using bad grammar styles for constructing passwords, that those patterns would become identifiable and then someone would put together a password cracker that would deal with poor-grammar-filled passwords as well right? I couldn't find the exact paper to read but the example on the website "ihave3cats" seems to be like a language thing that can be identified at some point by some urban dictionary reader!
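
How a grammar-aware guesser reaches "ihave3cats", as an added example: this is not the CMU researchers' algorithm, the article's code or any commenter's, and the lexicon and templates are constructed for illustration. The point it makes concrete is the one vAltyR raised above: the grammatical candidates are a small, ordered subset of all the ways the same words could be arranged, so a phrase that follows the grammar is reached in a few guesses while a scrambled one is never produced at all.

```python
"""Grammar-template password guessing, as an added example: enumerate
candidates from a tiny part-of-speech grammar and compare that search
space with all arrangements of the same words."""
from itertools import product

# Constructed mini-lexicon, tagged by part of speech.
LEXICON = {
    "PRON": ["i", "we", "you"],
    "VERB": ["have", "love", "hate"],
    "NUM":  ["2", "3", "4"],
    "NOUN": ["cats", "dogs", "cars"],
}

# Constructed sentence templates a grammar-aware guesser would try first.
TEMPLATES = [
    ("PRON", "VERB", "NUM", "NOUN"),  # produces "ihave3cats"
    ("PRON", "VERB", "NOUN"),         # produces "ilovecats"
]


def grammatical_guesses(lexicon=LEXICON, templates=TEMPLATES):
    """Yield every candidate that fits one of the templates, in guess order."""
    for template in templates:
        for words in product(*(lexicon[tag] for tag in template)):
            yield "".join(words)


def guesses_needed(target, lexicon=LEXICON, templates=TEMPLATES):
    """1-based position of `target` in the grammar-ordered guess list, or
    None when no template produces it (where an ungrammatical password
    is trying to hide)."""
    for rank, guess in enumerate(grammatical_guesses(lexicon, templates), 1):
        if guess == target:
            return rank
    return None


def count_grammatical(lexicon=LEXICON, templates=TEMPLATES):
    """Size of the grammatical search space: for each template, the
    product of its tagged word-list sizes."""
    total = 0
    for template in templates:
        size = 1
        for tag in template:
            size *= len(lexicon[tag])
        total += size
    return total


def count_all_arrangements(length, lexicon=LEXICON):
    """Ordered choices of `length` words from the whole lexicon, with
    repetition and no grammar: the space an ungrammatical password of
    that many words can live in."""
    vocabulary = sum(len(words) for words in lexicon.values())
    return vocabulary ** length


if __name__ == "__main__":
    print("guesses to reach ihave3cats:", guesses_needed("ihave3cats"))
    print("grammatical candidates:", count_grammatical())
    print("all 4-word arrangements:", count_all_arrangements(4))
    print("cats3havei reachable by grammar:", guesses_needed("cats3havei"))
```

The gap is the whole argument: with this toy lexicon the grammar produces 108 candidates against 20736 arrangements of the same words, so the grammatical space is about 1/192 of the ungrammatical one. The caveat the same comment raises also holds: as soon as a cracker learns which ungrammatical patterns people actually use, those become templates too.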

Re:Article is very light on details (3, Interesting)

McGruber (1417641) | about a year and a half ago | (#42640829)

Are dere infinite ways t'screw grammar while creatin' passwo'd? ah' would dink dere are certain patterns in which sucka's mis-use grammar. Ah be baaad... ah' would imagine dough dat at some point if every one started usin' bad-ass grammar styles fo' constructin' passwo'ds, dat dose patterns would become identifiable and den someone would put togeda' a passwo'd cracka' dat would deal wid poo'-grammar-filled passwo'ds as sheeit right? ah' couldn't find da damn exact sheet t'read but da damn example on de website "igots'3cats" seems t'be some likes some language wahtahmellun dat kin be identified at some point by some urban dicshunary eyeballer. Right On!

Re:Article is very light on details (0)

Anonymous Coward | about a year and a half ago | (#42640839)

How did you/and why would you put my passphrase in your comment?

Re:Article is very light on details (0)

Anonymous Coward | about a year and a half ago | (#42641015)

How did you/and why would you put my passphrase in your comment?

"you/and"?

Re:Article is very light on details (2)

mysidia (191772) | about a year and a half ago | (#42641349)

It would be better to have no grammar structure at all in passwords, good or bad. Select a random assortment of words, not words that can be strung together using conventional grammar rules, or even distortions of conventional grammar rules.

And transform any words in such a way, that no word used is a legitimate word.

3hav-ayekatkitt-ees

HA! Let's seem thes bursting thos (0)

Anonymous Coward | about a year and a half ago | (#42640771)

isn't no one gonna bursted my pass werds evar.

Correct Horse Battery Staple (0)

Anonymous Coward | about a year and a half ago | (#42640781)

Corek Horze Baterry Stapple
http://xkcd.com/936/

Seems legit to me. In all seriousness, some of my best passwords use bad spelling on purpose and are committed to muscle memory, so even I don't know how they are actually spelled. I know the phrase but not the proper misspelling. Took me over 20 min to get it "right" after an injury left one of my arms in a full arm cast. And considering it is more random and significantly longer than the obligatory XKCD reference, I hate to know how long a password cracker would have to take to get it right.

Re:Correct Horse Battery Staple (1)

Jetra (2622687) | about a year and a half ago | (#42640823)

Except that was all about choosing random dictionary words and a favorite number. In this case it's like taking my password "password" and spelling it "pahsweerd".

Er... (0)

Anonymous Coward | about a year and a half ago | (#42640825)

Really? With letmein and iloveyou consistently in the top 10, 20 whatever most common passwords, I'd suggest that good grammar is most certainly rare in passwords, although I have no information to back that up. Other passwords may use grammar or punctuation in such a way as to be more vulnerable. Would god be god or God for instance?

Re:Er... (1)

blueg3 (192743) | about a year and a half ago | (#42641085)

"Let me in" and "I love you" are both correct grammar. You're perhaps thinking of correct punctuation.

haz (0)

Anonymous Coward | about a year and a half ago | (#42640857)

CanHazPassword?

whats bad grammer anyway (1)

drankr (2796221) | about a year and a half ago | (#42640859)

littel mistaek is no mistaek.

Randomized passwords are the best (0)

pwizard2 (920421) | about a year and a half ago | (#42640863)

If you can memorize a 10-digit phone number (i.e. (123) 456-7890) then you can also memorize a 10-character randomized password. No excuses...there are sites out there [strongpass...erator.com] that will generate tons of good passwords for you and you can just use the one you want.

Re:Randomized passwords are the best (5, Insightful)

bp+m_i_k_e (901456) | about a year and a half ago | (#42640891)

None of your phone numbers are changed every 30/60/90 days, while some of your passwords are.

Re:Randomized passwords are the best (1)

pwizard2 (920421) | about a year and a half ago | (#42640963)

After typing in a password 8-10 times I pretty much have it memorized, how long does it take for you? Doing it every 1-3 months isn't too bad. If it were changed every week then I would agree with you.

Re:Randomized passwords are the best (5, Insightful)

maxwells_deamon (221474) | about a year and a half ago | (#42641119)

I don't have a different phone number for every person I call. People I call do not make up rules like my phone number must be at least x characters long, must have a special character in it, can not have a special character in it, must not begin with an upper case letter, must begin with a character, must begin with an emoticon ;-)
and I don't know what other crap they are about to come up with...

Re:Randomized passwords are the best (1)

steelyeyedmissileman (1657583) | about a year and a half ago | (#42641371)

I don't have a different phone number for every person I call.

You must know a lot of people that share the same phone.

Land lines in multi-person households (1)

tepples (727027) | about a year and a half ago | (#42641789)

You must know a lot of people that share the same phone.

That I do. Many are land lines in multi-person households. And being public keys (in the SQL "primary key" sense, not the cryptographic sense), they don't change every 45 days.

Re:Randomized passwords are the best (1)

bp+m_i_k_e (901456) | about a year and a half ago | (#42641365)

I use variations of the same passwords, so I have memorized many more passwords than phone numbers. Usually I can even remember some infrequently-used passwords - based on using variations. However, the phone numbers that I have memorized have not changed for years, for the most part. At our company, it's actually pretty rare for people to forget their frequently-used passwords. However, I have no idea how often people forget phone numbers, since it is trivial to just look them up.

If all passwords followed the same rules, without requiring frequent resets, it probably would be relatively easy for people to remember a few passwords. But, keep in mind that 3 of the 10 phone number digits (the area code) is relatively meaningless, in terms of the need to memorize it. So, for the most part, people are only remembering 7 numbers - not exactly a large number of possible values, compared to the possibilities for passwords.

Re:Randomized passwords are the best (4, Funny)

houghi (78078) | about a year and a half ago | (#42641143)

Perhaps not mine, but all the women I meet have a new phone number within 24 hours.

Re:Randomized passwords are the best (1)

mysidia (191772) | about a year and a half ago | (#42641391)

None of your phone numbers are changed every 30/60/90 days, while some of your passwords are.

My recommendation for such passwords, is to memorize a "base" password; and define a rule to increment the base password, so all you need to remember is the original password, and which number you are at, and do a mental transformation; this is far more secure than writing down the password, or picking easy to guess passwords.

eg

Password 0 helloworld0

Password 1 ifmmpxpsme1

Password 2 jgnnqyqtnf2

Password 3 khoorzruog3

Password 4 lippsasvph4

Password 5 mjqqtbtwqi5

Password 6 nkrrucuxrj6

Password 7 olssvdvysk7

Password 8 pmttwewwtl8

Password 9 qnuuxfxxum9

Re:Randomized passwords are the best (4, Interesting)

ArcadeMan (2766669) | about a year and a half ago | (#42640951)

I don't memorize phone numbers, I memorize the 3x4 grid pattern required to dial it.

Re:Randomized passwords are the best (1)

flyingfsck (986395) | about a year and a half ago | (#42641069)

Memorizing only the phone numbers is useless if you forget the names and faces of the girls...

Re:Randomized passwords are the best (3, Informative)

Sique (173459) | about a year and a half ago | (#42641035)

Actually, no. Phone numbers contain much context (e.g. area code), and they have a very limited alphabet (just the numbers 0-9). A random password can use a much larger alphabet and contains much less context. So, memorizing a ten character password is definitely harder than a ten digit phone number.

Re:Randomized passwords are the best (1)

DaphneDiane (72889) | about a year and a half ago | (#42641245)

I tend to use random passwords myself. The trick I've learned to memorizing them is to take advantage of the fact that the human brain is good at seeing patterns even when there aren't any. So I just look at the password for a bit, let myself come up with a pattern or way to describe it and memorize that. I'll often think of a password as chunks of 3 or 4 letters and just remember the chunks normally associated with a thought phrase. If I can't come up with something I'll just hit regen again till I get something that my brain clicks onto.

For example I just now used a generator to create the password: zyZtgQkAJH2)rw

My thought process would be something like:
Hmm there two Z's... I can use that to help me remember....Oh I can use the word zygote to remember... so the first two letters.... change things up so cap the Z and reuse the tg from zygote backs.... okay I have zyZtg memorized.... now I need to think of a quick way to get .... oh I can use Quick to remind me. AJH... that can be an acronym for "as just happens." Got a number 2) so I think "list" and twice to behind to just happens... rw that's obviously read/write... So I just have to remember "zygote Quick As Just Happens twice list read/write" ( I mentally imagine shouting the parts of the words for caps ) and I can turn it back into the password zyZtgQkAJH2)rw...
then I just force myself to log in a few times while thinking that phrase and I'm all set.

Re:Randomized passwords are the best (1)

93 Escort Wagon (326346) | about a year and a half ago | (#42641359)

I use random, unique passwords most everywhere. The trick to remembering them is not to try - I just store them in my encrypted keychain. It's not that hard to memorize one long and complex password.

Re:Randomized passwords are the best (1)

tepples (727027) | about a year and a half ago | (#42641823)

Until you end up having to log in without being allowed to connect the device carrying your encrypted keychain to the Internet. This may be the case if you keep your encrypted keychain on a laptop, Wi-Fi-only tablet, or USB drive, or if your smartphone has no data coverage where you are.

Re:Randomized passwords are the best (1)

DaphneDiane (72889) | about a year and a half ago | (#42641899)

I also store my passwords in an encrypted keychain, but sometimes it's nice to be able to get some passwords without having to look it up. For example both iTunes and Windows RT require me to enter passwords when buying new apps or add-ons. Switching to another app to cut & paste in the password will often cancel the sale. So I memorized those passwords because it's simpler. Likewise when administrating machines at work I don't want to have to dig up my keychain just to log into the server farm, especially if I'm logging in at someone else's desktop—which won't have my keychains—to fix a toolset problem.

Re:Randomized passwords are the best (1)

blueg3 (192743) | about a year and a half ago | (#42641083)

Sure, as long as you only need the one password.

Re:Randomized passwords are the best (0)

Anonymous Coward | about a year and a half ago | (#42641283)

You can't memorize a 10 digit phone number. You memorize an area code (you probably know 2-4 of these, these are one item to your brain, they're a general area), a prefix (you probably know 20-30 of these, they're more abstract) and a 4 digit number.

Besides that, the amount of entropy in a 10 digit number is tiny compared to an 8 character password containing letters, numbers, upper and lower case and special characters. Memorizing a random one of those is very hard.

I'd suggest random passwords and an encrypted password locker. There are some nice ones that work on mobile phones (as well as desktops) so you always have them with you. You then have to remember one password, one password that you don't need to ever intentionally share with any service.

And use two step authentication on any service that allows it, but especially on the e-mail account that can unlock most of your other accounts.

lolcat phrases (0)

Anonymous Coward | about a year and a half ago | (#42640925)

pick your favourite lolcat phrase
of course then you're going to have to remember the misspellings

Obligitory (0)

Anonymous Coward | about a year and a half ago | (#42641039)

Correct Battery Horse Staple...

R U crunk? LOL! (0)

Anonymous Coward | about a year and a half ago | (#42641049)

Texting comes in handy...

All your password ... (0)

PPH (736903) | about a year and a half ago | (#42641091)

... are belong to us!

Don't think (1)

Murdoch5 (1563847) | about a year and a half ago | (#42641097)

To make a good password just don't think about it. Don't use anything that you would have to remember or figure out, type something random into the password box, copy the password and then remember it.

If Music Be The Food Of Love, Log In (4, Interesting)

the monolith (1174927) | about a year and a half ago | (#42641103)

Instead of using words, how about playing the keyboard as if it were a piano (or any other keyboard-like instrument)

Here is an example of a musical login: pvy89pvvv[890[]vv

For this example, position your right hand with the thumb on the 'v' key, then play the sequence as if they were notes, then listen to C.P.E. Bach - Minuet In G Major for what it should really sound like.

If you like impressive music, try: uppvyuvyyyyuyvvyuvyuppvyuvyyyyuyvvyuyv
Leo Arnaud - Buglers Dream

Re:If Music Be The Food Of Love, Log In (1)

RedHackTea (2779623) | about a year and a half ago | (#42641219)

This is actually a good idea, but I'd want a real piano keyboard. Because of the way our brains work and associative memory, it's actually pretty easy to remember a long composition compared to a long list of characters. Unfortunately, then there will be "music dictionary attacks" with the most popular music.

Eventually, when true Quantum computers emerge, we'll all be screwed anyway for at least offline documents. For online documents, you can at least limit the number of tries. In fact, even if you have a shit password (e.g., "changeme1234"), if the website limits the number of tries to 3 times a day, you're probably safe for at least a year or two.

Lockout DOS (2)

tepples (727027) | about a year and a half ago | (#42641847)

In fact, even if you have a shit password (e.g., "changeme1234"), if the website limits the number of tries to 3 times a day, you're probably safe for at least a year or two.

Except from denial of service, where someone with a list of usernames he wants to attack enters those usernames with "P00-p00" as the password three times in a row. Then the legitimate owners of those accounts can't log in.
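
The lockout trade-off in the last two comments, as an added example (not any site's code): AccountLockout is the per-account policy the thread discusses, with a failure budget spent by whoever sends the wrong password. PerSourceLockout is a constructed variant, assumed here rather than proposed by anyone on the page, that spends the budget per (account, source) pair so a stranger's failures do not lock the owner out. The daily reset window is left out; the credentials and the "P00-p00" guess are the thread's own examples.

```python
"""Account lockout and the denial of service it invites, as an added example:
the same attacker traffic against two ways of keying the failure counter."""
from collections import defaultdict


class AccountLockout:
    """Lock the account after max_failures wrong passwords, regardless of
    where they came from.  The daily reset window is omitted."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def key(self, user, source):
        return user                       # source is ignored on purpose

    def attempt(self, user, password, source, check):
        k = self.key(user, source)
        if self.failures[k] >= self.max_failures:
            return "locked"
        if check(user, password):
            self.failures[k] = 0
            return "ok"
        self.failures[k] += 1
        return "denied"


class PerSourceLockout(AccountLockout):
    """Same budget, spent per (user, source): one stranger cannot lock the
    owner out.  An attacker with many sources still gets many budgets, so
    this is a mitigation for the DoS, not for online guessing itself."""

    def key(self, user, source):
        return (user, source)


CREDENTIALS = {"alice": "changeme1234"}   # constructed account


def check_password(user, password):
    return CREDENTIALS.get(user) == password


def simulate(policy):
    """Attacker burns alice's budget from one address, then alice logs in,
    then the attacker tries once more.  Returns (owner result, attacker result)."""
    for _ in range(3):
        policy.attempt("alice", "P00-p00", "attacker", check_password)
    owner = policy.attempt("alice", "changeme1234", "alice-laptop", check_password)
    attacker_again = policy.attempt("alice", "P00-p00", "attacker", check_password)
    return owner, attacker_again


if __name__ == "__main__":
    print("per-account:", simulate(AccountLockout()))
    print("per-source: ", simulate(PerSourceLockout()))
```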

Better than bad grammer... transcription! (1)

nsxdavid (254126) | about a year and a half ago | (#42641125)

I find that an even better way to construct a password (that you can still remember) is to use a language other than English for all or part of it. More specifically, it works best if you use a language that requires transliteration to type in the Latin character set and then use your own transliteration/transcription spelling (rather than, necessarily, the common or "official" one). Good examples might be words in Hebrew, Russian or Greek.

Consider the Russian word for 'good'. I will spell it using substitute Latin characters since /. seems to strip it otherwise: "xopowo"

I love Russian because it uses mostly Latin or Latin-like characters, but they are usually pronounced differently (that "p" looking guy sounds like an "r" and that "w" looking character is more like "sh").

So that word is pronounced, to the American ear, something like "hur ah show" (leaving out the hard-to-transcribe soft guttural). You might spell it in your own transcription style as "herisoh" or "whoreashow" (which might be easier to remember!) or whatever.. the more you make it your own, the better.

You don't have to master another whole language to do this, just a few words will do.

Oh, and be sure to stay out of the rainbow table range or none of these techniques are all that helpful.

Hello Doctor Name Continue Yesterday Tomorrow (1)

EmagGeek (574360) | about a year and a half ago | (#42641129)

Little did we all know that this was actually the root password on HAL9000.

Any password (0)

Anonymous Coward | about a year and a half ago | (#42641153)

that is human readable is already insecure. Forget about the ones you can apply a grammer to.

Thanks for informing the hacking community... (0)

Anonymous Coward | about a year and a half ago | (#42641179)

... to add and mine the internet for commonly mispelled words to their password dictionaries.

Yoda passwords? (1)

cpghost (719344) | about a year and a half ago | (#42641207)

Bad grammar you use must for secure password...

Re:Yoda passwords? (0)

Anonymous Coward | about a year and a half ago | (#42641253)

Bad grammar you use must for secure password...

Bad grammar you must for secure password use

Re-framing old wisdom to create newness goodness! (1)

Zero__Kelvin (151819) | about a year and a half ago | (#42641225)

It is a well known fact that choosing words you will find in a dictionary as your password is not a good idea. This has been known for a looong time (get it?) Basically all this new "study" says is: "Hey, misspelled words are better than words spelled correctly!" Or in other words: "Hey! Stuff that isn't in the dictionary is better than stuff that is!" And in yet other words: All they did was re-frame what has been known for a long time and confuse themselves into thinking they discovered something new.
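The "not in the dictionary" rule from this comment is what a password-policy check enforces, as an added example that is not part of any poster's comment: the check normalises the usual disguises (appended digits, a few character substitutions, reversal) before looking the candidate up, so "changeme1234" from earlier in the thread is still caught. The wordlist here is a constructed handful of entries; a real check uses a large list.

```python
"""Reject passwords that are a dictionary word in disguise (policy check)."""
import re

# Constructed mini wordlist for the demo; a real policy loads a large list.
WORDLIST = {"password", "welcome", "dragon", "monkey", "letmein",
            "sunshine", "changeme"}

# Common single-character substitutions, undone before lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def _strip_ends(s):
    """Drop digits/punctuation glued to the front or back ("dragon2013")."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def candidates(password):
    """Yield the plausible base words hiding inside a password."""
    p = password.lower()
    for base in (p, _strip_ends(p)):
        yield base
        yield base[::-1]                 # reversed word
        leet = base.translate(LEET)      # substitutions undone
        yield leet
        yield _strip_ends(leet)


def is_dictionary_based(password):
    """True when any normalised form of the password is a listed word."""
    return any(c in WORDLIST for c in candidates(password))


if __name__ == "__main__":
    for pw in ("changeme1234", "P@ssw0rd!", "xopowo", "twombbewvs"):
        print(pw, "->", "reject" if is_dictionary_based(pw) else "accept")
```

Passing the check is necessary, not sufficient: a short transliterated word such as "xopowo" gets through only because the demo wordlist is English-only, so length and a proper multilingual list still matter.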

The blacks have the answer (0)

Anonymous Coward | about a year and a half ago | (#42641261)

Use an eubonics dictionary.

so this is a good one? (1)

milkmage (795746) | about a year and a half ago | (#42641263)

@11yourbA5es@r3Be10ngtoUS

Foreign Language Password Transliteration? (0)

Anonymous Coward | about a year and a half ago | (#42641353)

I wonder if having a foreign language password makes for a good password, like a transliteration? That's what my grandma does.

Re:Foreign Language Password Transliteration? (1)

Blackeneth (210087) | about a year and a half ago | (#42641493)

All your bases are belong to us!

my password method... (0)

Anonymous Coward | about a year and a half ago | (#42641473)

I think of a sentence I will remember and use the first character of each word.
e.g. "the weather on my best birthday ever was very sunny" translates to "twombbewvs"

I find even a random sentence is much easier to remember than a string of random characters.
Need numbers too?

"it took me 3 weeks to get my damn tax return sorted out" = "itm3wtgmdtrso"
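The initials method from this comment, as an added example that is not part of the poster's comment: one function derives the password (digits written into the sentence survive, as in the poster's second example) and a second gives a rough upper bound on its size. The bound assumes every character is drawn uniformly from the character classes present, which is a deliberate overestimate since first letters of English words are far from uniform.

```python
"""Derive a password from the initials of a memorable sentence and size it."""
import math
import re


def initials_password(sentence):
    """First character of every whitespace-separated word; a bare number in
    the sentence contributes its first digit."""
    return "".join(word[0] for word in sentence.split())


def naive_bits(password):
    """Upper bound on entropy: each character treated as uniform over the
    union of character classes present. Real initials are skewed toward
    common first letters, so the true value is lower than this."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33          # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for s in ("the weather on my best birthday ever was very sunny",
              "it took me 3 weeks to get my damn tax return sorted out"):
        pw = initials_password(s)
        print(f"{pw:16} {naive_bits(pw):5.1f} bits (upper bound)")
```

The two sentences from the comment give "twombbewvs" (about 47 bits at most) and "itm3wtgmdtrso" (about 67 bits at most); the digit and the extra length, not the sentence's grammar, are what move the number.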

"Can bad grammar make your password secure?" (1)

John Hasler (414242) | about a year and a half ago | (#42641511)

Yes, if it is bad enough. Examples:

Sp/k)]Vi5PTa
h@#FZh_\,
_HA67C_1N{vh

Of course no password is secure if you use it on more than one site.

Obviusness? (0)

Anonymous Coward | about a year and a half ago | (#42641531)

It's like saying that more entropy makes better password. Waiting for the article entitled "More entropy make better password, Anonymous Coward says".

Don't worry (1)

reboot246 (623534) | about a year and a half ago | (#42641549)

This means that most slashdot posters are safe. Seriously, the worst spelling and grammar I see online are right here amongst what should be a well-educated group of people.

Grammar? (1)

Arancaytar (966377) | about a year and a half ago | (#42641637)

If grammar is relevant at all, your password should already be long enough to be pretty secure.
